Your 'public' (and optionally 'guest') ESSID should have no Wi-Fi authentication on it. Basically, clients connect to the 'public' ESSID, then PacketFence allows them access to the 'private' ESSID on successful authentication (via captive portal). Your public ESSID should have minimal services available (just enough to get people to the captive portal and fix whatever 'issues' they might have preventing them from getting authorised). PacketFence will control the VLAN assignment for clients via RADIUS attributes. PacketFence will throw clients off with SNMP deauthentication traps. I would not recommend hiding ESSIDs; it doesn't help with security and will confound your users.
I've created a "secure" ESSID on the Extricom wireless controllers that uses WPA/2 Enterprise, AES only, with PacketFence configured as the RADIUS authentication server.
In accordance with a guide found online, I've also created a "public" ESSID that uses MAC Authentication, using the PacketFence server for the RADIUS authentication.
The secure ESSID is hidden. I'm not entirely sure what the purpose of having two set up is. Does PacketFence mediate between the two, or do they both essentially do the same, with one connection just being encrypted?